diff --git a/include/libwebsockets/lws-genhash.h b/include/libwebsockets/lws-genhash.h index f27c3b9146..a78a94aa7c 100644 --- a/include/libwebsockets/lws-genhash.h +++ b/include/libwebsockets/lws-genhash.h @@ -51,6 +51,8 @@ enum lws_genhmac_types { #define LWS_GENHASH_LARGEST 64 +#if defined(LWS_WITH_TLS) && defined(LWS_WITH_GENCRYPTO) + struct lws_genhash_ctx { uint8_t type; #if defined(LWS_WITH_MBEDTLS) @@ -186,4 +188,6 @@ lws_genhmac_update(struct lws_genhmac_ctx *ctx, const void *in, size_t len); */ LWS_VISIBLE LWS_EXTERN int lws_genhmac_destroy(struct lws_genhmac_ctx *ctx, void *result); + +#endif ///@} diff --git a/lib/core-net/wol.c b/lib/core-net/wol.c index 8edada9064..eb6f6c6f67 100644 --- a/lib/core-net/wol.c +++ b/lib/core-net/wol.c @@ -79,7 +79,8 @@ lws_wol(struct lws_context *ctx, const char *ip_or_NULL, uint8_t *mac_6_bytes) ret = 0; bail: - close(fd); + if (fd >= 0) /* coverity */ + close(fd); return ret; } diff --git a/lib/core/logs.c b/lib/core/logs.c index 269f309882..bbda17a123 100644 --- a/lib/core/logs.c +++ b/lib/core/logs.c @@ -179,11 +179,11 @@ __lws_lc_untag(struct lws_context *context, lws_lifecycle_t *lc) //grp = lws_container_of(lc->list.owner, lws_lifecycle_group_t, owner); - lws_humanize(buf, sizeof(buf), +#if defined(LWS_LOG_TAG_LIFECYCLE) + if (lws_humanize(buf, sizeof(buf), (uint64_t)lws_now_usecs() - lc->us_creation, - humanize_schema_us); + humanize_schema_us) > 0) -#if defined(LWS_LOG_TAG_LIFECYCLE) lwsl_cx_notice(context, " -- %s (%d) %s", lc->gutag, (int)lc->list.owner->count - 1, buf); #endif diff --git a/lib/core/private-lib-core.h b/lib/core/private-lib-core.h index f894f2debc..a138e44309 100644 --- a/lib/core/private-lib-core.h +++ b/lib/core/private-lib-core.h 
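Review bot: The `+#endif` added just before `///@}` in lws-genhash.h closes a conditional opened about 130 lines earlier in the first hunk, and carries no marker of which condition it ends; an unlabelled `#endif` that far from its `#if` is easy to mis-pair on the next edit. Suggest `#endif /* LWS_WITH_TLS && LWS_WITH_GENCRYPTO */`. Everything between the two hunks, including the lws_genhmac declarations, is now invisible to a build lacking either define, so any caller not guarded the same way stops compiling — presumably intended, but worth stating in the commit description.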
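Review bot: The new guard in lws_wol carries the comment `/* coverity */`, which names the tool that complained rather than the condition being handled; a reader cannot tell from it when fd is negative at `bail:`. Write the reason instead, e.g. `if (fd >= 0) /* an early jump to bail leaves fd at -1 */` — this assumes fd is initialised to -1 before the socket call, which is outside the hunk, so confirm. The body of lws_wol starts outside the hunk.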
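Review bot: In __lws_lc_untag the new `if (lws_humanize(...) > 0)` has an unbraced body that is itself a logging macro (`lwsl_cx_notice`); if that macro expands to nothing at a stripped log level, the `if` silently adopts whatever statement follows `#endif` as its body. Brace it: `if (lws_humanize(buf, sizeof(buf), (uint64_t)lws_now_usecs() - lc->us_creation, humanize_schema_us) > 0) { lwsl_cx_notice(context, " -- %s (%d) %s", lc->gutag, (int)lc->list.owner->count - 1, buf); }`. Also, lws_humanize now runs only under LWS_LOG_TAG_LIFECYCLE; if `buf` is declared unconditionally earlier in the function (outside the hunk) it becomes an unused variable when that option is off — confirm.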
@@ -1185,6 +1185,13 @@ lws_transport_mux_next_free(lws_transport_mux_t *tm, lws_mux_ch_idx_t *result); void sul_ping_cb(lws_sorted_usec_list_t *sul); +/* Added Declaration of this function to make common for openssl-server */ +#if defined(LWS_HAVE_SSL_CTX_set_keylog_callback) && \ + defined(LWS_WITH_TLS) +void +lws_klog_dump(const SSL *ssl, const char *line); +#endif + #if !defined(PRIu64) #define PRIu64 "llu" #endif diff --git a/lib/event-libs/libev/libev.c b/lib/event-libs/libev/libev.c index 4bdede78da..3f3f2a7f00 100644 --- a/lib/event-libs/libev/libev.c +++ b/lib/event-libs/libev/libev.c @@ -94,6 +94,7 @@ lws_accept_cb(struct ev_loop *loop, struct ev_io *watcher, int revents) struct lws_context_per_thread *pt; struct lws_pollfd eventfd; struct lws *wsi; + int tsi = 0; if (revents & EV_ERROR) return; @@ -112,10 +113,12 @@ lws_accept_cb(struct ev_loop *loop, struct ev_io *watcher, int revents) } wsi = wsi_from_fd(context, watcher->fd); - pt = &context->pt[(int)wsi->tsi]; + if (wsi) + tsi = (int)wsi->tsi; + pt = &context->pt[tsi]; ptpr = pt_to_priv_ev(pt); - lws_service_fd_tsi(context, &eventfd, (int)wsi->tsi); + lws_service_fd_tsi(context, &eventfd, tsi); ev_idle_start(ptpr->io_loop, &ptpr->idle); } @@ -413,6 +416,14 @@ elops_destroy_wsi_ev(struct lws *wsi) ev_io_stop(ptpr->io_loop, &w->w_write.watcher); } +static int +elops_wsi_logical_close_ev(struct lws *wsi) +{ + elops_destroy_wsi_ev(wsi); + + return 0; +} + static const struct lws_event_loop_ops event_loop_ops_ev = { /* name */ "libev", /* init_context */ elops_init_context_ev, @@ -420,7 +431,7 @@ static const struct lws_event_loop_ops event_loop_ops_ev = { /* destroy_context2 */ elops_destroy_context2_ev, /* init_vhost_listen_wsi */ elops_init_vhost_listen_wsi_ev, /* init_pt */ elops_init_pt_ev, - /* wsi_logical_close */ NULL, + /* wsi_logical_close */ elops_wsi_logical_close_ev, /* check_client_connect_ok */ NULL, /* close_handle_manually */ NULL, /* accept */ elops_accept_ev, 
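Review bot: The declaration of lws_klog_dump is guarded by `LWS_HAVE_SSL_CTX_set_keylog_callback && LWS_WITH_TLS`, but the definition in the openssl-client.c hunk stays inside a guard that additionally requires `LWS_WITH_CLIENT`, and the openssl-server.c hunk calls it under the two-macro guard only, so a server-only build declares and references a function it never defines and fails at link time. Either move the definition into a file compiled for both roles, or add `&& defined(LWS_WITH_CLIENT)` to this declaration and to the call in openssl-server.c. The comment `/* Added Declaration of this function to make common for openssl-server */` is changelog text; replace it with what the symbol is, e.g. `/* TLS keylog callback shared by the openssl client and server backends */`. Whether `SSL` is a known type at this point of private-lib-core.h in every configuration that defines LWS_WITH_TLS is not visible here — the HAVE_ macro presumably keeps non-OpenSSL builds out, but confirm.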
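Review bot: In lws_accept_cb the new `if (wsi) tsi = (int)wsi->tsi;` turns a NULL result from wsi_from_fd into a silent service on thread 0; a libev watcher firing for an fd that has no wsi is an inconsistency worth surfacing rather than masking. At minimum log it, `if (!wsi) lwsl_warn("%s: no wsi for fd %d\n", __func__, watcher->fd);` — whether lws_service_fd_tsi can legitimately handle such an fd, and so whether an early return would be the wrong choice, is outside the hunk, so confirm before picking one. The `int tsi = 0;` declaration in the previous hunk is part of the same change.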
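Review bot: elops_wsi_logical_close_ev is added without a comment, and the reader must find the ops-table hunk to learn that it fills the wsi_logical_close slot; a one-line header saying that it stops the wsi's watchers at logical close by calling elops_destroy_wsi_ev and always returns 0 would make the intent explicit. Why this must happen at logical close rather than only at destroy — presumably so no further io events reach a wsi that is being torn down — is not stated anywhere in the diff; if that is the reason, say so in the comment.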
diff --git a/lib/plat/unix/unix-systemd.c b/lib/plat/unix/unix-systemd.c index 405ae0e09a..8423469144 100644 --- a/lib/plat/unix/unix-systemd.c +++ b/lib/plat/unix/unix-systemd.c @@ -43,8 +43,10 @@ lws_systemd_inherited_fd(unsigned int index, info->vh_listen_sockfd = (int)(SD_LISTEN_FDS_START + index); - if (sd_is_socket_unix(info->vh_listen_sockfd, 0, 0, NULL, 0)) + if (sd_is_socket_unix(info->vh_listen_sockfd, 0, 0, NULL, 0)) { info->options |= LWS_SERVER_OPTION_UNIX_SOCK; + info->port = 0; + } if (sd_is_socket_inet(info->vh_listen_sockfd, AF_UNSPEC, 0, 1, 0)) { struct sockaddr_storage addr; diff --git a/lib/roles/h2/http2.c b/lib/roles/h2/http2.c index c7b481552a..8f4aa9e25c 100644 --- a/lib/roles/h2/http2.c +++ b/lib/roles/h2/http2.c @@ -2208,13 +2208,15 @@ lws_h2_parser(struct lws *wsi, unsigned char *in, lws_filepos_t _inlen, WSI_TOKEN_HTTP_CONTENT_LENGTH) && h2n->swsi->http.rx_content_length && h2n->swsi->http.rx_content_remain < - h2n->length && /* last */ + h2n->length - h2n->inside && /* last */ h2n->inside < h2n->length) { - lwsl_warn("%s: %lu %lu %lu %lu\n", __func__, + lwsl_warn("%s: rx.cl: %lu, rx.content_remain: %lu, buf left: %lu, " + "h2->inside: %lu, h2->length: %lu\n", __func__, + (unsigned long)h2n->swsi->http.rx_content_length, (unsigned long)h2n->swsi->http.rx_content_remain, - (unsigned long)(lws_ptr_diff_size_t(iend, in) + 1), - (unsigned long)h2n->inside, (unsigned long)h2n->length); + (unsigned long)(lws_ptr_diff_size_t(iend, in) + 1), + (unsigned long)h2n->inside, (unsigned long)h2n->length); /* unread data in frame */ lws_h2_goaway(wsi, diff --git a/lib/roles/http/client/client-http.c b/lib/roles/http/client/client-http.c index 57397fce90..30974dd3df 100644 --- a/lib/roles/http/client/client-http.c +++ b/lib/roles/http/client/client-http.c 
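Review bot: `if (sd_is_socket_unix(info->vh_listen_sockfd, 0, 0, NULL, 0)) {` — the condition this hunk extends with `info->port = 0;` — treats any non-zero return as "is a unix socket", but sd_is_socket_unix() returns a negative errno-style value on error (for example an invalid fd), so a failing probe would set LWS_SERVER_OPTION_UNIX_SOCK and clear the port on a socket that is not unix-domain. Compare against a positive result: `if (sd_is_socket_unix(info->vh_listen_sockfd, 0, 0, NULL, 0) > 0) {`. The `sd_is_socket_inet(...)` check on the following context line has the same shape and, being a separate `if` rather than `else if`, would also apply its branch after an erroneous unix result. The body of lws_systemd_inherited_fd starts outside the hunk.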
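Review bot: In lws_h2_parser the new operand `h2n->length - h2n->inside` is evaluated before the `h2n->inside < h2n->length` test that follows it in the same condition; if those fields are unsigned (their declarations are not in the hunk) an `inside > length` state wraps the subtraction to a huge value and the overall result is only rescued by the later test failing. Put the guard in front of the arithmetic: `h2n->inside < h2n->length && h2n->swsi->http.rx_content_remain < h2n->length - h2n->inside) {`. The reworked lwsl_warn supplies five `%lu` conversions and five `(unsigned long)` arguments, which match. The enclosing function starts and ends outside the hunk.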
@@ -580,7 +580,7 @@ lws_http_client_http_response(struct lws *wsi) #endif -#if defined(LWS_WITH_HTTP_DIGEST_AUTH) +#if defined(LWS_WITH_HTTP_DIGEST_AUTH) && defined(LWS_WITH_TLS) static const char *digest_toks[] = { "Digest", // 1 << 0 @@ -591,7 +591,7 @@ static const char *digest_toks[] = { "response", // 1 << 5 "opaque", // 1 << 6 "qop", // 1 << 7 - "algorithm" // 1 << 8 + "algorithm", // 1 << 8 "nc", // 1 << 9 "cnonce", // 1 << 10 "domain", // 1 << 11 @@ -604,7 +604,7 @@ enum lws_check_basic_auth_results lws_http_digest_auth(struct lws* wsi) { uint8_t nonce[256], response[LWS_GENHASH_LARGEST], qop[32]; - int seen = 0, n, pend = -1, skipping = 0; + int seen = 0, n, pend = -1; char *tmp_digest = NULL; struct lws_tokenize ts; char resp_username[32]; @@ -677,8 +677,6 @@ lws_http_digest_auth(struct lws* wsi) break; case LWS_TOKZE_TOKEN_NAME_EQUALS: - if (skipping) - break; if ((seen & (1 << 15)) == (1 << 15) || pend != -1) /* no auth type token or disordered */ return LCBA_END_TRANSACTION; @@ -704,8 +702,6 @@ lws_http_digest_auth(struct lws* wsi) break; case LWS_TOKZE_QUOTED_STRING: - if (skipping) - break; if (pend < 0) return LCBA_END_TRANSACTION; @@ -757,8 +753,6 @@ lws_http_digest_auth(struct lws* wsi) case LWS_TOKZE_DELIMITER: if (*ts.token == ',') { - if (skipping) - break; if (pend != PEND_DELIM) return LCBA_END_TRANSACTION; @@ -766,11 +760,6 @@ lws_http_digest_auth(struct lws* wsi) break; } if (*ts.token == ';') { - if (skipping) { - /* try again with this one */ - skipping = 0; - break; - } /* it's the end */ e = LWS_TOKZE_ENDED; break; @@ -787,9 +776,6 @@ lws_http_digest_auth(struct lws* wsi) } while (e > 0); - if (e != LWS_TOKZE_ENDED) - return LCBA_END_TRANSACTION; - /* we got all the parts we care about? Realm + Nonce... */ if ((seen & 0xc) != 0xc) { 
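Review bot: The missing comma after `"algorithm"` that this hunk fixes had silently fused two entries into `"algorithmnc"` and shifted every later bit position the parser relies on; nothing now prevents the same mistake from recurring in digest_toks. Add a compile-time size check next to the array, e.g. `_Static_assert(LWS_ARRAY_SIZE(digest_toks) == DIGEST_TOK_COUNT, "digest_toks entry count");`, where DIGEST_TOK_COUNT is a placeholder for the intended number of entries — the hunk does not show the table in full. The `// 1 << n` annotations make the array length a contract, not a detail.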
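Review bot: Removing `if (e != LWS_TOKZE_ENDED) return LCBA_END_TRANSACTION;` after the `while (e > 0)` loop in lws_http_digest_auth means a negative tokenizer result — a malformed WWW-Authenticate value from the server — no longer aborts; control proceeds to the `(seen & 0xc) != 0xc` check and, if realm and nonce happened to be parsed before the error, on to building a response from a header the tokenizer rejected. If the removal was motivated by the `;` path that sets `e = LWS_TOKZE_ENDED` explicitly, keep a narrower guard: `if (e < 0) return LCBA_END_TRANSACTION;`. The rest of the function, including what follows the seen check, is outside the hunk.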
@@ -1061,28 +1047,24 @@ lws_client_interpret_server_handshake(struct lws *wsi) #endif n = atoi(p); -#if defined(LWS_WITH_HTTP_DIGEST_AUTH) - if (n == 401 && lws_hdr_simple_ptr(wsi, WSI_TOKEN_HTTP_WWW_AUTHENTICATE)) { - if (!(wsi->stash && wsi->stash->cis[CIS_USERNAME] && - wsi->stash->cis[CIS_PASSWORD])) { - lwsl_err( - "Digest auth requested by server but no credentials provided " - "by user\n"); - return LCBA_FAILED_AUTH; - } - - if (0 != lws_http_digest_auth(wsi)) { - if (wsi) - goto bail3; - return 1; - } +#if defined(LWS_WITH_HTTP_DIGEST_AUTH) && defined(LWS_WITH_TLS) + if (n == 401 && lws_hdr_simple_ptr(wsi, WSI_TOKEN_HTTP_WWW_AUTHENTICATE)) { + if (!(wsi->stash && wsi->stash->cis[CIS_USERNAME] && + wsi->stash->cis[CIS_PASSWORD])) { + lwsl_err("Digest auth requested by server but no credentials provided by user\n"); + + return LCBA_FAILED_AUTH; + } + + if (lws_http_digest_auth(wsi)) + goto bail3; opaque = wsi->a.opaque_user_data; lws_close_free_wsi(wsi, LWS_CLOSE_STATUS_NOSTATUS, "digest_auth_step2"); wsi->a.opaque_user_data = opaque; return -1; - } + } ah = wsi->http.ah; #endif diff --git a/lib/roles/http/date.c b/lib/roles/http/date.c index 6ac42ba9cb..327ca601b1 100644 --- a/lib/roles/http/date.c +++ b/lib/roles/http/date.c @@ -150,7 +150,7 @@ lws_http_date_parse_unix(const char *b, size_t len, time_t *t) #endif #endif - return (int)*t == -1 ? -1 : 0; + return (int)(*t == -1 ? -1 : 0); } #if defined(LWS_WITH_CLIENT) diff --git a/lib/roles/http/server/server.c b/lib/roles/http/server/server.c index ff5b1255ea..e976e89d5e 100644 --- a/lib/roles/http/server/server.c +++ b/lib/roles/http/server/server.c @@ -93,7 +93,7 @@ _lws_vhost_init_server_af(struct vh_sock_args *a) int n, opt = 1, limit = 1, san = 2; lws_sockfd_type sockfd; struct lws *wsi; - int m = 0, is; + int m = 0, is = 0; #if defined(LWS_WITH_IPV6) int value = 1; #endif diff --git a/lib/system/smd/smd.c b/lib/system/smd/smd.c index f412b61817..be6fbb4c64 100644 --- a/lib/system/smd/smd.c 
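Review bot: In lws_client_interpret_server_handshake the re-indented `return LCBA_FAILED_AUTH;` returns an lws_check_basic_auth_results value from a function whose other exits in this hunk use plain int codes (`return -1;`, and previously `return 1;`); unless the caller treats every non-zero value alike, this mixes two result spaces and is confusing either way. Use the int convention the function already has, `return -1;` (or whatever bail3 produces), and keep the enum inside lws_http_digest_auth. Separately, on the context lines `wsi->a.opaque_user_data = opaque;` is written after `lws_close_free_wsi(wsi, ...)`; if that call can free wsi synchronously this is a use-after-free, and if the free is deferred by design a comment saying so would stop the next reader from raising it again. The function starts and ends outside the hunk.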
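Review bot: After the precedence fix in lws_http_date_parse_unix the outer `(int)` cast is redundant — the conditional already yields an int — and the sentinel is clearer spelled as a time_t: `return *t == (time_t)-1 ? -1 : 0;`. The original `(int)*t == -1` compared a truncated time_t, which is what the change repairs; the function body starts outside the hunk.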
+++ b/lib/system/smd/smd.c @@ -533,17 +533,16 @@ _lws_smd_msg_deliver_peer(struct lws_context *ctx, lws_smd_peer_t *pr) msg = lws_container_of(pr->tail, lws_smd_msg_t, list); - - lwsl_cx_info(ctx, "deliver cl 0x%x, len %d, refc %d, to peer %p", + lwsl_cx_info(ctx, "deliver cl 0x%x, len %d, to peer %p", (unsigned int)msg->_class, (int)msg->length, - (int)msg->refcount, pr); + pr); pr->cb(pr->opaque, msg->_class, msg->timestamp, ((uint8_t *)&msg[1]) + LWS_SMD_SS_RX_HEADER_LEN_EFF, (size_t)msg->length); - +#if !defined(__COVERITY__) assert(msg->refcount); - +#endif /* * If there is one, move forward to the next queued * message that meets the filters of this peer diff --git a/lib/tls/CMakeLists.txt b/lib/tls/CMakeLists.txt index 230b0d29ad..7751cc7ba4 100644 --- a/lib/tls/CMakeLists.txt +++ b/lib/tls/CMakeLists.txt @@ -271,7 +271,9 @@ if (LWS_WITH_SSL) find_package(PkgConfig QUIET) pkg_check_modules(PC_OPENSSL openssl QUIET) find_package(OpenSSL REQUIRED) - list(APPEND OPENSSL_LIBRARIES ${PC_OPENSSL_LINK_LIBRARIES}) + if (NOT OPENSSL_FOUND AND PC_OPENSSL_FOUND) + list(APPEND OPENSSL_LIBRARIES ${PC_OPENSSL_LINK_LIBRARIES}) + endif() set(OPENSSL_LIBRARIES ${OPENSSL_LIBRARIES} PARENT_SCOPE) endif() set(OPENSSL_INCLUDE_DIRS "${OPENSSL_INCLUDE_DIR}") diff --git a/lib/tls/openssl/openssl-client.c b/lib/tls/openssl/openssl-client.c index da72ecba2a..003a870e59 100644 --- a/lib/tls/openssl/openssl-client.c +++ b/lib/tls/openssl/openssl-client.c @@ -711,7 +711,7 @@ lws_tls_client_vhost_extra_cert_mem(struct lws_vhost *vh, #if defined(LWS_HAVE_SSL_CTX_set_keylog_callback) && \ defined(LWS_WITH_TLS) && defined(LWS_WITH_CLIENT) -static void +void lws_klog_dump(const SSL *ssl, const char *line) { struct lws *wsi = SSL_get_ex_data(ssl, diff --git a/lib/tls/openssl/openssl-server.c b/lib/tls/openssl/openssl-server.c index 1fc8192933..083e0d8da9 100644 --- a/lib/tls/openssl/openssl-server.c +++ b/lib/tls/openssl/openssl-server.c 
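Review bot: Wrapping `assert(msg->refcount);` in `#if !defined(__COVERITY__)` (together with dropping `msg->refcount` from the log line above) silences the analyzer without recording why reading `msg` after `pr->cb(...)` is safe; if Coverity's complaint was that the callback may release the message, the assert is the symptom and the suppression hides a real lifetime question. If the read is safe because something still holds the message across the callback, say so in a comment on the assert — e.g. `/* msg stays referenced by pr->tail across the callback */`, adjusted to the actual reason — rather than compiling it out for one tool; if it is not safe, the fix belongs in the refcount handling. The enclosing _lws_smd_msg_deliver_peer starts and ends outside the hunk.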
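Review bot: The new `if (NOT OPENSSL_FOUND AND PC_OPENSSL_FOUND)` in lib/tls/CMakeLists.txt can never be true: `find_package(OpenSSL REQUIRED)` two lines above aborts configuration when OpenSSL is missing, so after it OPENSSL_FOUND is always set and the pkg-config libraries are never appended. Either the intent is to stop mixing in the pkg-config link libraries, in which case delete the dead block and the `pkg_check_modules` call, or pkg-config is meant as a fallback, in which case drop `REQUIRED` and fail explicitly afterwards: `if (NOT OPENSSL_FOUND AND NOT PC_OPENSSL_FOUND)` / `message(FATAL_ERROR "OpenSSL not found")` / `endif()`.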
@@ -529,6 +529,11 @@ lws_tls_server_vhost_backend_init(const struct lws_context_creation_info *info, error, s); return 1; } + /* Added for sniffing packets on hub side */ +#if defined(LWS_HAVE_SSL_CTX_set_keylog_callback) && \ + defined(LWS_WITH_TLS) + SSL_CTX_set_keylog_callback(vhost->tls.ssl_ctx, lws_klog_dump); +#endif SSL_CTX_set_ex_data(vhost->tls.ssl_ctx, openssl_SSL_CTX_private_data_index, diff --git a/lib/tls/tls-network.c b/lib/tls/tls-network.c index 4d6ab95e7a..4a1e14391e 100644 --- a/lib/tls/tls-network.c +++ b/lib/tls/tls-network.c @@ -90,8 +90,8 @@ lws_tls_check_cert_lifetime(struct lws_vhost *v) return 1; life = (ir.time - now) / (24 * 3600); - lwsl_vhost_notice(v, " vhost %s: cert expiry: %dd", v->name, - (int)life); + lwsl_vhost_notice(v, " vhost %s: cert expiry: %lldd", v->name, + (long long)life); } else lwsl_vhost_info(v, " vhost %s: no cert", v->name); diff --git a/minimal-examples-lowlevel/secure-streams/minimal-secure-streams-blob/CMakeLists.txt b/minimal-examples-lowlevel/secure-streams/minimal-secure-streams-blob/CMakeLists.txt index d619826414..33827ae96e 100644 --- a/minimal-examples-lowlevel/secure-streams/minimal-secure-streams-blob/CMakeLists.txt +++ b/minimal-examples-lowlevel/secure-streams/minimal-secure-streams-blob/CMakeLists.txt @@ -15,6 +15,7 @@ require_lws_config(LWS_WITH_SECURE_STREAMS_STATIC_POLICY_ONLY 0 requirements) require_lws_config(LWS_WITH_SYS_STATE 1 requirements) require_lws_config(LWS_WITH_GENCRYPTO 1 requirements) require_lws_config(USE_WOLFSSL 0 requirements) +require_lws_config(LWS_WITH_SSL 1 requirements) if (requirements) add_executable(${SAMP} minimal-secure-streams.c)
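Review bot: `SSL_CTX_set_keylog_callback(vhost->tls.ssl_ctx, lws_klog_dump);` is registered on every server vhost whenever the build has the OpenSSL API, with no runtime opt-in visible in the hunk; a keylog callback receives the session secrets of every TLS connection on that listener, so if lws_klog_dump writes them out whenever it is invoked (its body is in openssl-client.c, outside this hunk) a production build exports the material needed to decrypt all of the vhost's traffic. Gate the registration on an explicit, default-off vhost or context option and document that enabling it removes TLS confidentiality for that vhost, rather than relying on compile-time macros alone. The comment `/* Added for sniffing packets on hub side */` describes a use case, not the behaviour; replace it with something like `/* export TLS session secrets for this vhost; development-only, must be opt-in */`. The enclosing lws_tls_server_vhost_backend_init starts and ends outside the hunk.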